Install the Server for a Single Server Deployment

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.12
Creation date: 2023-04-30
Last date published: 2025-12-10
Category: Administrator Guide
Abstract

Installation instructions and requirements for standard Cortex XSOAR single server deployments, with the app server and database server on the same machine.

In a standard Cortex XSOAR deployment, the app server and database server are installed on the same machine.

If you are deploying a signed installer:

  • You need to import the public key to the operating system. Open a ticket with Palo Alto Networks support to get the public key (see here). It is valid for six months.

  • If you are using engines or hosts in a multi-tenant environment, you need to install makeself.

Installation File Structure

This is the file and folder structure in a standard Cortex XSOAR installation.

By default, the .sh file is in /home/<user-name>. The .sh file installs the demistoserver_xxxxx.amd64.deb file in the /usr/local/demisto folder. You can change the default folder, if necessary.

Asset            Path
Binaries         /usr/local/demisto
Data             /var/lib/demisto
Logs             /var/log/demisto
Configuration    /etc/demisto.conf (not created if defaults are selected during installation)
Reports          /tmp/demisto_install.log
Install Log      /tmp/demisto_install.log

If you want to create different mounts for the /var/lib/demisto, /var/lib/docker, and /tmp partitions, it is recommended to allocate the following space to each partition (dependent on the expected amount of data, and the size of your incidents and indicators).

  • /var/lib/demisto: 200 GB (development), 1000 GB (production)

    If using Elasticsearch, see Elasticsearch System Requirements.

  • If using Docker: /var/lib/docker: 70 GB (development), 150 GB (production)

  • If using Podman: /home: 70 GB (development), 150 GB (production)

  • /tmp: 10 GB (development and production)
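
The partition sizes above can be checked on the target host before the installer is run. The following script is an added example, not part of the Cortex XSOAR product or its documentation; the script name and function names are assumptions made for illustration. It also covers the case where several of the listed paths share one filesystem, in which case their recommendations are summed.

```shell
#!/usr/bin/env bash
# Added example: pre-install partition check for Cortex XSOAR (not vendor code).
# Usage: ./xsoar_preflight.sh <development|production> <docker|podman>

# Print "<path> <recommended GB>" pairs taken from the list above.
requirements() {
  local data ctr ctr_path
  case "$1" in
    development) data=200;  ctr=70  ;;
    production)  data=1000; ctr=150 ;;
    *) echo "unknown profile: $1" >&2; return 2 ;;
  esac
  case "$2" in
    docker) ctr_path=/var/lib/docker ;;
    podman) ctr_path=/home ;;
    *) echo "unknown runtime: $2" >&2; return 2 ;;
  esac
  printf '%s %s\n' /var/lib/demisto "$data" "$ctr_path" "$ctr" /tmp 10
}

# Before installation /var/lib/demisto does not exist yet, so walk up to the
# closest existing directory; that is the filesystem the data will land on.
nearest_existing_dir() {
  local p="$1"
  while [ ! -d "$p" ] && [ "$p" != "/" ]; do p=$(dirname "$p"); done
  printf '%s\n' "$p"
}

# Read "<mount> <size GB> <path> <required GB>" lines. Paths sharing one
# filesystem have their requirements summed before comparing with its size.
evaluate() {
  awk '{ size[$1] = $2 + 0; need[$1] += $4; paths[$1] = paths[$1] " " $3 }
       END { for (m in size) {
               v = (size[m] >= need[m]) ? "OK" : "TOO_SMALL"
               printf "%s %s size=%dGB need=%dGB paths:%s\n", v, m, size[m], need[m], paths[m]
               if (v != "OK") bad = 1 }
             exit bad + 0 }'
}

# Query the real filesystems with df and evaluate them; exit status 1 means
# at least one filesystem is smaller than the summed recommendation.
preflight() {
  local reqs
  reqs=$(requirements "$1" "$2") || return 2
  printf '%s\n' "$reqs" | while read -r path need; do
    df -Pk "$(nearest_existing_dir "$path")" |
      awk -v p="$path" -v n="$need" 'NR==2 { printf "%s %d %s %d\n", $6, $2 / 1048576, p, n }'
  done | evaluate
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```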

To install Cortex XSOAR, you need to log in to Cortex Gateway, which is a portal for downloading the relevant image file and license. Downloading a file image from Cortex Gateway ensures you have the latest pre-configured software package for easy deployment and updates. If you have multiple or development tenants, you must repeat these tasks for each tenant.

Prerequisites

Verify the following information and requirements before you install Cortex XSOAR.

  • A Customer Support Portal (CSP) account.

    You need to set up your CSP account. For more information, see How to Create Your CSP User Account.

    When you create a CSP account, you can set up two-factor authentication (2FA) to log in to the CSP using email, Okta Verify, or Google Authenticator (non-FedRAMP accounts). For more information, see How to Enable a Third Party IdP.

  • Have the following roles assigned:

    Role: Details

    CSP role: The Super User role is assigned to your CSP account. The user who creates the CSP account is granted the Super User role.

    Cortex role: You must have the Account Admin role.

    If you are the first user to access Cortex Gateway with the CSP Super User role, you are automatically granted Account Admin permissions for the Cortex Gateway. You can also add Account Admin users as required.

  • To download the Cortex XSOAR images from Cortex Gateway, you need a license (or evaluation license via sales) assigned to your CSP account.

  • Review the System Requirements.

  • Have root access.

How to install Cortex XSOAR
  1. Log in to Cortex Gateway.

  2. In the Available for Activation section, use the serial number to locate the tenant to download.

    By default, the Production-Standalone license is selected. You can also select Dev.

    If you want to use a production and a development tenant with a private remote repository, select Dev. If you don't select it now, you can install a development tenant later.

  3. Select Download On Prem.

  4. Click Next.

  5. Under Choose Download Option, select Installer.

  6. Select the checkbox to agree to the terms and conditions of the license and click Download.

    Tip

    In Google Chrome, to download the image and license files together, you may need to set the browser Settings > Privacy and security > Site settings > Additional permissions > Automatic downloads to the default behavior, Sites can ask to automatically download multiple files.

    Two files download: the demistoserver-xxxxx.sh installer file and a zipped JSON license file.

    Note

    You can copy the download link button from the Downloads section in your browser to get the token needed for offline installation.

  7. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer. Open a ticket with Palo Alto Networks support to get the public key (see here).

    For example, you can use the rpm --import public.key command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.

  8. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG) you might need to manually install the makeself package by running the yum install makeself command.

  9. Run the chmod +x demisto.sh command to make the .sh file executable.

  10. Execute the .sh file, by running the following command.

    sudo ./demisto.sh

  11. Accept the EULA and add the information when prompted.

    1. The Server HTTPS port (default is 443)

    2. If you are using Elasticsearch, enter the Elasticsearch details, such as the URL, timeout, etc.

    3. Type the name of the Admin user (default is admin).

    4. Type the password (default is admin).

  12. (Optional) After the installation has completed, do the following:

    1. Confirm that the Cortex XSOAR server status is active, by running the systemctl status demisto command.

      If the server is not active, run the systemctl start demisto command to start the server.

    2. Confirm that the Docker service status is active, by running the systemctl status docker command.

    3. In a web browser, go to https://serverURL:port to verify that Cortex XSOAR was successfully installed.

      When you open Cortex XSOAR for the first time you need to add the license.

Troubleshooting

In some cases, due to moving previous installation files, the installation can fail and the following error message is displayed:

mv: cannot stat '/var/lib/dpkg/info/demistoserver.postrm': No such file or directory
Failed to execute: 'mv': exit status 1

There are two options to resolve this issue:

  • Make a note of the path to the demistoserver.postrm file. Rerun the installation using this path for the -- -prev-uninstall-script flag. Example: -- -prev-uninstall-script="/path/to/demistoserver.postrm"

  • Rerun the installation with the flag -- -use-prev-uninstall-script=true. Note that if you use this flag and have previously created a special ID & group for demisto users, the demisto user and group are deleted and recreated during installation.